Retire CRYPTO_F_MPSAFE it is no longer of any use. The crypto framework
no longer uses a callback and so there is no need to define the
callback as MPSAFE.
OK bluhm@

Remove unused variables and assignments in ah and esp output.
found by clang 13; OK tobhe@

IPsec is not MP safe yet. To allow forwarding in parallel without
dirty hacks, it is better to protect IPsec input and output with
kernel lock. Not much is lost as crypto needs the kernel lock
anyway. From here we can refine the lock later.
Note that there is no kernel lock in the SPD lockup path. Goal is
to keep that lock free to allow fast forwarding with non IPsec
traffic.
tested by Hrvoje Popovski; OK tobhe@

Remove unused variable 'clen'.

ok bluhm@

Use per-CPU counters for tunnel descriptor block (TDB) statistics.
'tdb_data' struct became unused and was removed.

Tested by Hrvoje Popovski.
ok bluhm@

Protect the write access to the TDB flags field with a mutex per
TDB. Clearing the timeout flags just before pool put in tdb_free()
does not make sense. Move this to tdb_delete(). While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@

Allow to build kernel without IPSEC or INET6 defines.
OK mpi@ mvs@

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in header doesn't math to
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@

Do not call ip_deliver() recursively from IPsec. As there is no
crypto task anymore, it is possible to return the next protocol.
Then ip_deliver() will walk the header chain in its loop.
IPsec bridge(4) tested by jan@
OK mvs@ tobhe@ jan@

Fix use of uninitialized variable 'rpl'.

Found by jsg@
ok patrick@

Refactor ah_input() and ah_output() for new crypto API.

ok bluhm@

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@

Remove crp_etype and return errors directly from crypto_invoke()

ok patrick@

Pass the error of the IPsec callback to the caller. The dropped
counter is handled there.
OK tobhe@

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occured.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@

Make error handling in IPsec consistent. Pass errors to the callers.
OK tobhe@

Remove code to run crypto operations in a task queue. The code was
not reachable because all callers had set the CRYPTO_F_NOQUEUE flag.

ok patrick@ mvs@ bluhm@

The function crypto_dispatch() never returns an error. Make it
void and remove error handling in the callers.
OK patrick@ mvs@

The function ipip_output() was registered as .xf_output() xform
function. But was is never called via this pointer. It would have
immediatley crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@

Do not queue crypto operations for IPsec. The packet entries in
task queues were unlimited and could overflow during havy traffic.
Even if we still use hardware drivers that sleep, softnet task
instead of soft interrupt can handle this now. Without queues net
lock is inherited and kernel lock is only needed once per packet.
This results in less lock contention and faster IPsec.
Also protect tdb drop counters with net lock and avoid a leak in
crypto dispatch error handling.
intense testing Hrvoje Popovski; OK mpi@

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@

The crypto(9) framework used by IPsec runs on a kernel task that
is protected by kernel lock. There were crashes in swcr_authenc()
when it was accessing swcr_sessions. As a quick fix, protect all
calls from network stack to crypto with kernel lock. This also
covers the rekeying case that is called from pfkey via tdb_init().
OK mvs@

we don't have to cast to caddr_t when calling m_copydata anymore.

the first cut of this diff was made with coccinelle using this spatch:

@rule@
type caddr_t;
expression m, off, len, cp;
@@
-m_copydata(m, off, len, (caddr_t)cp)
+m_copydata(m, off, len, cp)

i had fix it's opinionated idea of formatting by hand though, so
i'm not sure it was worth it.

ok deraadt@ bluhm@

Make sure the first packet of an SA has sequence number 1 (as described in
RFC 4302 and RFC 4303). It seems this was changed by accident when support
for 64 bit sequence numbers was added.

ok bluhm@ patrick@

remove the "copy function" argument to bpf_mtap_hdr.

it was previously (ab)used by pflog, which has since been fixed.
apart from that nothing else used it, so we can trim the cruft.

ok kn@ claudio@ visa@
visa@ also made sure i fixed ipw(4) so i386 won't break.

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@

Cleanup IPsec AH error handling with consistent goto drop.
with and OK markus@; input mpi@

Do not assume that mbufs within a chain do not have M_PKTHDR set.
This could happen during fragment reassembly. Better check if we
are dealing with the first mbuf of the chain.
m_adj() changes the length of the mbuf, obviously. So when using
this length to calulate the amount of adjustment, do not calculate
it again after m_adj() with wrong input. Use a temporary variable
to save the value.
from Maxime Villard, NetBSD; OK markus@ claudio@

branches: 1.138.2;
When processing IPsec AH packets check that the header fits into
the packet length.
found by Maxime Villard; from FreeBSD; OK procter@ markus@

make kernel compile again without INET6
ok mpi@

comment change only. ok bluhm@

Do some cleanup in ah_massage_headers().
- Declare global array ipseczeroes containing zeroes constant.
- The proto parameter contains the address family, so call it af.
- Remove an unused if block, just keep the else.
- If m_copyback(M_NOWAIT) fails, return with error instead of working
with an inconsistent mbuf.
- ip6_nxt is u_int8_t, no need to clear the high bits.
- The offset and next protocol are advanced for all extension
headers, move it after the switch.
- ah_massage_headers() returns an errno, call the variable error.
OK procter@

When processing IPsec AH packets with IP options or IPv6 extension
headers, check all lengths before accessing the values.
found by Maxime Villard; from NetBSD; with and OK markus@; OK patrick@

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@

Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@

branches: 1.131.4;
Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@

add sizes to free() calls

branches: 1.129.4;
Put back a return that I have removed by accident.

IPsec packets could be dropped unaccounted if output after crypto
failed. Add a counter for that case.
OK dhill@

Reduce the per-packet allocation costs for crypto operations (cryptop)
by pre-allocating two cryptodesc objects and storing them in an array
instead of a linked list. If more than two cryptodesc objects are
required use mallocarray to fetch them. Adapt the drivers to the new
API.

This change results in one pool-get per ESP packet instead of three.
It also simplifies softraid crypto where more cryptodesc objects are
allocated than used.

From, with and ok markus@, ok bluhm@
"looks sane" mpi@

The return code of crp_callback is never checked, so it is not
useful to propagate the error. When an error occurs in an asynchronous
network path, incrementing a counter is the right thing. There are
four places where an error is not accounted, just add a comment for
now.
OK mpi@ visa@

Grab the NET_LOCK() in various callbacks.

Fix an assert reported by Hrvoje Popovski.

ok visa@, mikeb@

Grab the NET_LOCK() before calling ipsp_process_done() as it ends up
in ip_output().

Found the hardway by and ok kettenis@

convert bcopy to memcpy. from david hill.

avoid extensive mbuf allocation for IPsec by replacing m_inject(4)
with m_makespace(4) from freebsd; ok mpi@, bluhm@, mikeb@, dlg@

fix panics caused by replacing m_copym2 with m_dup_pkt.

m_copym2 is fine duplicating an arbitrary chain of mbufs, while
m_dup_pkt wants to dup a packet with proper headers in the first
mbuf. ipsec copied the tail of an mbuf if any of the clusters are
shared or readonly, and swapped that tail with the result of m_copym2.

m_dup_pkt panics cos of that.

this makes ipsec duplicate the whole packet if any of the chain is
readonly.

found by naddy@ and mlarkin@
this fix is from visa@ who told me to commit it cos he's afk (sleeping)
tested by naddy@

replace the last uses of m_copym2 with m_dup_pkt.

ok mpi@ visa@

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@

m_freem() can handle NULL, do not check for this condition beforehands.
ok stsp mpi

Use proper argument type for crp_callback functions; no functional change.

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer

make ipsp_address thread safe; ok mpi

remove KPDK. not really used, and a bad choice anyway. ok naddy

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@

Fewer <netinet/in_systm.h> !

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.

bpf code surgery / shuffling / simplification.
the various bpf_mtap_* are very similiar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_map_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno

bzero/bcmp -> memset/memcmp. ok matthew

Replace all ovbcopy with memmove; swap the src and dst arguments too
ok otto

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@

add M_ZEROIZE as an mbuf flag, so copied PFKEY messages (with embedded keys)
are cleared as well; from hshoexer@, feedback and ok bluhm@, ok claudio@

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.

for key material that is being being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@

m_copyback can fail to allocate memory, but is a void fucntion so gymnastics
are required to detect that.

Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error

ok claudio@ henning@ krw@

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@

Replace enc(4) with a new implementation as a cloner device. We still
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.

manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@

Convert MALLOC/FREE to malloc/free.

ok gilles@

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

'Fixes' two cases where the zeroing did not cover all the memory
allocated.

As with many of the last commits, looked at by chl@ in an earlier
version.

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@

- AH: when computing crypto checksum for output, massage source-routing
header.
- ipsec_input: fix mistake in IPv6 next-header chasing.
- ipsec_output: look for the position to insert AH more carefully.
- ip6_output: enable use of AH with extension headers.
avoid tunnellinng when source-routing header is present.

ok by deraad, naddy, hshoexer

make enc(4) count; ok markus@ henning@ deraadt@

use IN6_IS_SCOPE_EMBED to check kernel-internal form addresses
(s6_addr16[1] filled)
ok dhartmei

Only preemptively increase the replay counter for outbound TDBs.

Another ipsec failover fix from nathanael at polymorpheus dot com.

ok hshoexer@

allow bpf(4) to ignore packets based on their direction (inbound or
outbound), using a new BIOCSDIRFILT ioctl;
guidance, feedback and ok canacar@

use M_READONLY when trying to find out whether we have to copy
the mbuf before encryption. otherwise mbufs with M_EXT but w/o M_CLUSTER
get modified; ok hshoexer

Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing a mbuf chain
to bpf with either an address family or other header added.

These helpers only allocate a much smaller struct m_hdr on the stack when
needed, rather than leaving 256 byte struct mbufs on the stack in deep
call paths. Also removes a fair bit of duplicated code.

commit now, tune after deraadt@

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@

comment out unused PACKET_TAG_IPSEC_IN_CRYPTO_DONE code; ok hshoexer

m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.

conform to RFC2367 on SADB_xx naming (local name must be prefixed with
SADB_X_xx)

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok

do not flip ip_len/ip_off in netinet stack. deraadt ok.
(please test, especially PF portion)

just as a safety measure, set m_flags to 0 for mbufs allocated on stack.
dhartmei ok

o sanity check mbuf earlier.
o return errno, not NULL.
o add some missing error values
o proper crypto_freereq() in ip_ipcomp.c
From Patrick Latifi; OK angelos@

Avoid using FREEd data when we get a crypto error; Patrick Latifi
Also move the session ID reset into the crp_etype == EAGAIN case
(noticed by angelos@). OK jason@ and angelos@

Based on several comments from tedu:
- two variables 'err' and 'error', whacked
- missing initialization in the error path for the case where an SA expired
while off in crypto land.
- a small bit of knf.

Remove commons; inspired by netbsd.

Free crp_opaque only after we've determined we're not going to
re-submit it. From sam@errno.com

Update correct statistic if m_inject() fails --- from sam@errno.com

KNF

Initialize mo to NULL, for good measure -- sam@errno.com

Fix reference to free'ed location (unreachable condition because of
spl protection, but better safe...) --- pointed out by sam@errno.com

Set/clear M_AUTH_AH.

Fix a DoS attack whereby an attacker could cause the replay counter to
advance with unauthenticated packets, thereby causing valid packets to
be discarded as replays. This has been sitting in my tree for a while,
and I've forgotten who it was that pointed out the problem.

branches: 1.63.4;
KNF

Copyright.

merge crypto/crypto{dev,}.h to crypto/cryptodev.h, to avoid name conflicts inside OpenSSL codebase

Remove unneeded ip_id convertions.
Instead of using HTONS macro in some places, use htons directly in the
struct member and save us a few bytes.
Fix comment.

Trim include files.

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.

Update to match prototypes.

Handle TDBF_SKIPCRYPTO on output, and PACKET_TAG_IPSEC_IN_CRYPTO_DONE
on input.

Probably a good idea to pass the NULL to the correct function...

Pass a NULL packet tag for now to ipsp_common_input_cb().

convert mbuf and cluster allocation to pool, mostly from NetBSD
okay art@ miod@

initial cut at /dev/crypto support. takes original mbuf "try, and discard
if we fail" semantics and extends to two varients of data movement: mbuf,
or an iovec style block.

Move bzero() after test for correct allocation (jj@wabbitt.org)

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@

Move offsetof define into sys/param.h

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok

tighten IPv4 option header processing (we may want to do more).
reviewed by angelos.

*HMAC96->*HMAC

branches: 1.44.2;
Lots and lots of changes.

Careful with ip_off

try to cope with AH6 with scoped address case better.

Use M_NOWAIT instead of M_DONTWAIT in MALLOC() (even though they're
defined to be the same in mbuf.h)

The callbacks need to set the appropriate spl level now.

Get rid of tdb_ref, keep indirect pointer to TDB.

Check for invalid TDBs right away in the callbacks.

when fixing up the header, copy from the right sized datatype (fixes IPsec
on big-endian machines)

Fix casting so it compiles on alphas (testing by janjaap@stack.nl,
closing pr #1150)

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.

branches: 1.34.2;
fix include file path related to ip6.

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).

Ok, no more IPsec for OpenBSD...I've had enough with it.

Forgot a printf...

New ah_new_input(), protocol-independent processing (still lacking
IPv6-specific protocol header processing).

Oops, typo.

Some preliminiries to AH revamping (similar to ESP)...

New ESP code that's v4 and v6 friendly.

gettdb() should be at spltdb().

Support multiple enc interfaces.

remove bogus entry from if_enc address list; and rename enc_softc to encif

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.

A new scalable IPsec SA expiration model.

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.

Make the tdbi handling more robust, removes a panic case

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.

make the packets which were successfully processed by IPSec available to
bpf via the enc0 interface, using linktype DLT_ENC.

avoid source address spoofing for mutual hostile hosts which have SAs to
us, reported by Craig Metz <cmetz@inner.net>.

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.

conditional error logging

log() needs a \n

expiration messages, fixes, updates, all sorts of things

enablespi/disablespi in encap + print spi's in hostorder

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.

major restructuring

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes

ah-sha1 + esp-3des + indentation

I/O packet counters for IP-in-IP and AH.

OpenBSD tags + some prototyping police

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz

Remove unused variables and assignments in ah and esp output.
found by clang 13; OK tobhe@

IPsec is not MP safe yet. To allow forwarding in parallel without
dirty hacks, it is better to protect IPsec input and output with
kernel lock. Not much is lost as crypto needs the kernel lock
anyway. From here we can refine the lock later.
Note that there is no kernel lock in the SPD lockup path. Goal is
to keep that lock free to allow fast forwarding with non IPsec
traffic.
tested by Hrvoje Popovski; OK tobhe@

Remove unused variable 'clen'.

ok bluhm@

Use per-CPU counters for tunnel descriptor block (TDB) statistics.
'tdb_data' struct became unused and was removed.

Tested by Hrvoje Popovski.
ok bluhm@

Protect the write access to the TDB flags field with a mutex per
TDB. Clearing the timeout flags just before pool put in tdb_free()
does not make sense. Move this to tdb_delete(). While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@

Allow to build kernel without IPSEC or INET6 defines.
OK mpi@ mvs@

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in header doesn't math to
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@

Do not call ip_deliver() recursively from IPsec. As there is no
crypto task anymore, it is possible to return the next protocol.
Then ip_deliver() will walk the header chain in its loop.
IPsec bridge(4) tested by jan@
OK mvs@ tobhe@ jan@

Fix use of uninitialized variable 'rpl'.

Found by jsg@
ok patrick@

Refactor ah_input() and ah_output() for new crypto API.

ok bluhm@

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@

Remove crp_etype and return errors directly from crypto_invoke()

ok patrick@

Pass the error of the IPsec callback to the caller. The dropped
counter is handled there.
OK tobhe@

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occured.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@

Make error handling in IPsec consistent. Pass errors to the callers.
OK tobhe@

Remove code to run crypto operations in a task queue. The code was
not reachable because all callers had set the CRYPTO_F_NOQUEUE flag.

ok patrick@ mvs@ bluhm@

The function crypto_dispatch() never returns an error. Make it
void and remove error handling in the callers.
OK patrick@ mvs@

The function ipip_output() was registered as .xf_output() xform
function. But was is never called via this pointer. It would have
immediatley crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@

Do not queue crypto operations for IPsec. The packet entries in
task queues were unlimited and could overflow during havy traffic.
Even if we still use hardware drivers that sleep, softnet task
instead of soft interrupt can handle this now. Without queues net
lock is inherited and kernel lock is only needed once per packet.
This results in less lock contention and faster IPsec.
Also protect tdb drop counters with net lock and avoid a leak in
crypto dispatch error handling.
intense testing Hrvoje Popovski; OK mpi@

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@

The crypto(9) framework used by IPsec runs on a kernel task that
is protected by kernel lock. There were crashes in swcr_authenc()
when it was accessing swcr_sessions. As a quick fix, protect all
calls from network stack to crypto with kernel lock. This also
covers the rekeying case that is called from pfkey via tdb_init().
OK mvs@

we don't have to cast to caddr_t when calling m_copydata anymore.

the first cut of this diff was made with coccinelle using this spatch:

@rule@
type caddr_t;
expression m, off, len, cp;
@@
-m_copydata(m, off, len, (caddr_t)cp)
+m_copydata(m, off, len, cp)

i had fix it's opinionated idea of formatting by hand though, so
i'm not sure it was worth it.

ok deraadt@ bluhm@

Make sure the first packet of an SA has sequence number 1 (as described in
RFC 4302 and RFC 4303). It seems this was changed by accident when support
for 64 bit sequence numbers was added.

ok bluhm@ patrick@

remove the "copy function" argument to bpf_mtap_hdr.

it was previously (ab)used by pflog, which has since been fixed.
apart from that nothing else used it, so we can trim the cruft.

ok kn@ claudio@ visa@
visa@ also made sure i fixed ipw(4) so i386 won't break.

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@

Cleanup IPsec AH error handling with consistent goto drop.
with and OK markus@; input mpi@

Do not assume that mbufs within a chain do not have M_PKTHDR set.
This could happen during fragment reassembly. Better check if we
are dealing with the first mbuf of the chain.
m_adj() changes the length of the mbuf, obviously. So when using
this length to calulate the amount of adjustment, do not calculate
it again after m_adj() with wrong input. Use a temporary variable
to save the value.
from Maxime Villard, NetBSD; OK markus@ claudio@

branches: 1.138.2;
When processing IPsec AH packets check that the header fits into
the packet length.
found by Maxime Villard; from FreeBSD; OK procter@ markus@

make kernel compile again without INET6
ok mpi@

comment change only. ok bluhm@

Do some cleanup in ah_massage_headers().
- Declare global array ipseczeroes containing zeroes constant.
- The proto parameter contains the address family, so call it af.
- Remove an unused if block, just keep the else.
- If m_copyback(M_NOWAIT) fails, return with error instead of working
with an inconsistent mbuf.
- ip6_nxt is u_int8_t, no need to clear the high bits.
- The offset and next protocol are advanced for all extension
headers, move it after the switch.
- ah_massage_headers() returns an errno, call the variable error.
OK procter@

When processing IPsec AH packets with IP options or IPv6 extension
headers, check all lengths before accessing the values.
found by Maxime Villard; from NetBSD; with and OK markus@; OK patrick@

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@

Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@

branches: 1.131.4;
Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@

add sizes to free() calls

branches: 1.129.4;
Put back a return that I have removed by accident.

IPsec packets could be dropped unaccounted if output after crypto
failed. Add a counter for that case.
OK dhill@

Reduce the per-packet allocation costs for crypto operations (cryptop)
by pre-allocating two cryptodesc objects and storing them in an array
instead of a linked list. If more than two cryptodesc objects are
required use mallocarray to fetch them. Adapt the drivers to the new
API.

This change results in one pool-get per ESP packet instead of three.
It also simplifies softraid crypto where more cryptodesc objects are
allocated than used.

From, with and ok markus@, ok bluhm@
"looks sane" mpi@

The return code of crp_callback is never checked, so it is not
useful to propagate the error. When an error occurs in an asynchronous
network path, incrementing a counter is the right thing. There are
four places where an error is not accounted, just add a comment for
now.
OK mpi@ visa@

Grab the NET_LOCK() in various callbacks.

Fix an assert reported by Hrvoje Popovski.

ok visa@, mikeb@

Grab the NET_LOCK() before calling ipsp_process_done() as it ends up
in ip_output().

Found the hardway by and ok kettenis@

convert bcopy to memcpy. from david hill.

avoid extensive mbuf allocation for IPsec by replacing m_inject(4)
with m_makespace(4) from freebsd; ok mpi@, bluhm@, mikeb@, dlg@

fix panics caused by replacing m_copym2 with m_dup_pkt.

m_copym2 is fine duplicating an arbitrary chain of mbufs, while
m_dup_pkt wants to dup a packet with proper headers in the first
mbuf. ipsec copied the tail of an mbuf if any of the clusters are
shared or readonly, and swapped that tail with the result of m_copym2.

m_dup_pkt panics cos of that.

this makes ipsec duplicate the whole packet if any of the chain is
readonly.

found by naddy@ and mlarkin@
this fix is from visa@ who told me to commit it cos he's afk (sleeping)
tested by naddy@

replace the last uses of m_copym2 with m_dup_pkt.

ok mpi@ visa@

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@

m_freem() can handle NULL, do not check for this condition beforehands.
ok stsp mpi

Use proper argument type for crp_callback functions; no functional change.

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer

make ipsp_address thread safe; ok mpi

remove KPDK. not really used, and a bad choice anyway. ok naddy

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@

Fewer <netinet/in_systm.h> !

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.

bpf code surgery / shuffling / simplification.
the various bpf_mtap_* are very similiar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_map_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno

bzero/bcmp -> memset/memcmp. ok matthew

Replace all ovbcopy with memmove; swap the src and dst arguments too
ok otto

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@

add M_ZEROIZE as an mbuf flag, so copied PFKEY messages (with embedded keys)
are cleared as well; from hshoexer@, feedback and ok bluhm@, ok claudio@

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.

for key material that is being being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@

m_copyback can fail to allocate memory, but is a void fucntion so gymnastics
are required to detect that.

Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error

ok claudio@ henning@ krw@

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@

Replace enc(4) with a new implementation as a cloner device. We still
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.

manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@

Fix two bugs in IPsec/HMAC-SHA2:
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.

WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.

ok+tests naddy, fries; requested by reyk/deraadt

remove dead stores and newly created unused variables.

Found by LLVM/Clang Static Analyzer.

ok mpf@ looks good mk@ ok henning@

Convert MALLOC/FREE to malloc/free.

ok gilles@

MALLOC+bzero -> malloc+M_ZERO. Don't forget FREE->free this time.

'Fixes' two cases where the zeroing did not cover all the memory
allocated.

As with many of the last commits, looked at by chl@ in an earlier
version.

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@

- AH: when computing crypto checksum for output, massage source-routing
header.
- ipsec_input: fix mistake in IPv6 next-header chasing.
- ipsec_output: look for the position to insert AH more carefully.
- ip6_output: enable use of AH with extension headers.
avoid tunnellinng when source-routing header is present.

ok by deraad, naddy, hshoexer

make enc(4) count; ok markus@ henning@ deraadt@

use IN6_IS_SCOPE_EMBED to check kernel-internal form addresses
(s6_addr16[1] filled)
ok dhartmei

Only preemptively increase the replay counter for outbound TDBs.

Another ipsec failover fix from nathanael at polymorpheus dot com.

ok hshoexer@

allow bpf(4) to ignore packets based on their direction (inbound or
outbound), using a new BIOCSDIRFILT ioctl;
guidance, feedback and ok canacar@

use M_READONLY when trying to find out whether we have to copy
the mbuf before encryption. otherwise mbufs with M_EXT but w/o M_CLUSTER
get modified; ok hshoexer

Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing a mbuf chain
to bpf with either an address family or other header added.

These helpers only allocate a much smaller struct m_hdr on the stack when
needed, rather than leaving 256 byte struct mbufs on the stack in deep
call paths. Also removes a fair bit of duplicated code.

commit now, tune after deraadt@

Add SA replay counter synchronization to pfsync(4). Required for IPsec
failover gateways. ok mcbride@, "looks good" hshoexer@

comment out unused PACKET_TAG_IPSEC_IN_CRYPTO_DONE code; ok hshoexer

m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts.

conform to RFC2367 on SADB_xx naming (local name must be prefixed with
SADB_X_xx)

hmac-sha2-{256,384,512} support in AH/ESP auth. markus ok

do not flip ip_len/ip_off in netinet stack. deraadt ok.
(please test, especially PF portion)

just as a safety measure, set m_flags to 0 for mbufs allocated on stack.
dhartmei ok

o sanity check mbuf earlier.
o return errno, not NULL.
o add some missing error values
o proper crypto_freereq() in ip_ipcomp.c
From Patrick Latifi; OK angelos@

Avoid using FREEd data when we get a crypto error; Patrick Latifi
Also move the session ID reset into the crp_etype == EAGAIN case
(noticed by angelos@). OK jason@ and angelos@

Based on several comments from tedu:
- two variables 'err' and 'error', whacked
- missing initialization in the error path for the case where an SA expired
while off in crypto land.
- a small bit of knf.

Remove commons; inspired by netbsd.

Free crp_opaque only after we've determined we're not going to
re-submit it. From sam@errno.com

Update correct statistic if m_inject() fails --- from sam@errno.com

KNF

Initialize mo to NULL, for good measure -- sam@errno.com

Fix reference to free'ed location (unreachable condition because of
spl protection, but better safe...) --- pointed out by sam@errno.com

Set/clear M_AUTH_AH.

Fix a DoS attack whereby an attacker could cause the replay counter to
advance with unauthenticated packets, thereby causing valid packets to
be discarded as replays. This has been sitting in my tree for a while,
and I've forgotten who it was that pointed out the problem.

branches: 1.63.4;
KNF

Copyright.

merge crypto/crypto{dev,}.h to crypto/cryptodev.h, to avoid name conflicts inside OpenSSL codebase

Remove unneeded ip_id convertions.
Instead of using HTONS macro in some places, use htons directly in the
struct member and save us a few bytes.
Fix comment.

Trim include files.

The IPsec-aware NIC cards don't pass the ICV for later verification
by the stack; that means, if we have a tag it means the ICV was
successfully verified and we don't need to do anything else. As well,
we don't need any other status information from the NIC.

Update to match prototypes.

Handle TDBF_SKIPCRYPTO on output, and PACKET_TAG_IPSEC_IN_CRYPTO_DONE
on input.

Probably a good idea to pass the NULL to the correct function...

Pass a NULL packet tag for now to ipsp_common_input_cb().

convert mbuf and cluster allocation to pool, mostly from NetBSD
okay art@ miod@

initial cut at /dev/crypto support. takes original mbuf "try, and discard
if we fail" semantics and extends to two varients of data movement: mbuf,
or an iovec style block.

Move bzero() after test for correct allocation (jj@wabbitt.org)

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@

Move offsetof define into sys/param.h

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistant throughout the code to be a relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok

tighten IPv4 option header processing (we may want to do more).
reviewed by angelos.

*HMAC96->*HMAC

branches: 1.44.2;
Lots and lots of changes.

Careful with ip_off

try to cope with AH6 with scoped address case better.

Use M_NOWAIT instead of M_DONTWAIT in MALLOC() (even though they're
defined to be the same in mbuf.h)

The callbacks need to set the appropriate spl level now.

Get rid of tdb_ref, keep indirect pointer to TDB.

Check for invalid TDBs right away in the callbacks.

when fixing up the header, copy from the right sized datatype (fixes IPsec
on big-endian machines)

Fix casting so it compiles on alphas (testing by janjaap@stack.nl,
closing pr #1150)

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
- multiple instances of the same algorithm used in the same session
- use of multiple crypto drivers in the same session
- asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was writen mostly in Greece, and is
being committed from Montreal.

branches: 1.34.2;
fix include file path related to ip6.

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).

Ok, no more IPsec for OpenBSD...I've had enough with it.

Forgot a printf...

New ah_new_input(), protocol-independent processing (still lacking
IPv6-specific protocol header processing).

Oops, typo.

Some preliminiries to AH revamping (similar to ESP)...

New ESP code that's v4 and v6 friendly.

gettdb() should be at spltdb().

Support multiple enc interfaces.

remove bogus entry from if_enc address list; and rename enc_softc to encif

spltdb introduced, protection for tdb lists and related structures, so
they won't disappear behind our back by an expiration. Cleanup expiration
logic too.

A new scalable IPsec SA expiration model.

Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.
If you are going to use either of AH or ESP or both, enable these in
/etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now
named net.inet.ip.encdebug. Some corrected function signatures too.

Make the tdbi handling more robust, removes a panic case

add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing
SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew. this was all done in canada. dugsong and linh
provided the ride and company.

Update copyright; remove a few annoying debugging printfs.

Btw, OpenBSD hit 25000 commits a couple commits ago.

Remove encap.h include; saner debugging printfs; fix buglets; work with
pfkeyv2.

make the packets which were successfully processed by IPSec available to
bpf via the enc0 interface, using linktype DLT_ENC.

avoid source address spoofing for mutual hostile hosts which have SAs to
us, reported by Craig Metz <cmetz@inner.net>.

first step to the setsockopt/getsockopt interface as described in
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal
userland key management applications when security services are requested.
this is only for outgoing connections at the moment, incoming packets
are not yet checked against the selected socket policy.

make it easier to add additional transforms. add blowfish and cast
encryption. some more info for kernfs/ipsec.

conditional error logging

log() needs a \n

expiration messages, fixes, updates, all sorts of things

enablespi/disablespi in encap + print spi's in hostorder

put old esp/ah and new esp/ah in different files.
generalised way of handling transforms.

major restructuring

hard and soft limits for SPI's per absolute timer, relative since establish,
relative since first use timers, packet and byte counters. notify key mgmt
on soft limits. key mgmt can now specify limits. new encap messages:
EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI

handle IP options in AH + allow IP options in outgoing encapsulated packets
+ usage counters for later use with keymanagement processes

ah-sha1 + esp-3des + indentation

I/O packet counters for IP-in-IP and AH.

OpenBSD tags + some prototyping police

IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz

Remove unused variable 'clen'.

ok bluhm@

Use per-CPU counters for tunnel descriptor block (TDB) statistics.
'tdb_data' struct became unused and was removed.

Tested by Hrvoje Popovski.
ok bluhm@

Protect the write access to the TDB flags field with a mutex per
TDB. Clearing the timeout flags just before pool put in tdb_free()
does not make sense. Move this to tdb_delete(). While there make
the parentheses in the flag check consistent.
tested by Hrvoje Popovski; OK tobhe@

Allow to build kernel without IPSEC or INET6 defines.
OK mpi@ mvs@

Add the new `ipsec_exctdb' ipsec(4) counter to count and expose to the
userland the TDBs which exceeded hard limit.

Also the `ipsec_notdb' counter description in header doesn't math to
netstat(1) description. We never count `ipsec_notdb' and the netstat(1)
description looks more appropriate so it's used to avoid confusion with
the new counter.

ok bluhm@

Do not call ip_deliver() recursively from IPsec. As there is no
crypto task anymore, it is possible to return the next protocol.
Then ip_deliver() will walk the header chain in its loop.
IPsec bridge(4) tested by jan@
OK mvs@ tobhe@ jan@

Fix use of uninitialized variable 'rpl'.

Found by jsg@
ok patrick@

Refactor ah_input() and ah_output() for new crypto API.

ok bluhm@

There are more m_pullup() in IPsec input. Pass down the pointer
to the mbuf to update it globally. At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@

Remove crp_etype and return errors directly from crypto_invoke()

ok patrick@

Pass the error of the IPsec callback to the caller. The dropped
counter is handled there.
OK tobhe@

There is an m_pullup() down in AH input. As it may free or change
the mbuf, the callers must be careful. Although there is no bug,
use the common pattern to handle this. Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity. Dedicated crypto offloading devices are not common
anymore. Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occured.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@

Make error handling in IPsec consistent. Pass errors to the callers.
OK tobhe@

Remove code to run crypto operations in a task queue. The code was
not reachable because all callers had set the CRYPTO_F_NOQUEUE flag.

ok patrick@ mvs@ bluhm@

The function crypto_dispatch() never returns an error. Make it
void and remove error handling in the callers.
OK patrick@ mvs@

The function ipip_output() was registered as .xf_output() xform
function. But was is never called via this pointer. It would have
immediatley crashed as mp is always NULL when called via .xf_output().
Do not set .xf_output to ipip_output. This allows to pass only the
parameters which are actually needed and the control flow is clearer.
OK mpi@

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@

Do not queue crypto operations for IPsec. The packet entries in
task queues were unlimited and could overflow during havy traffic.
Even if we still use hardware drivers that sleep, softnet task
instead of soft interrupt can handle this now. Without queues net
lock is inherited and kernel lock is only needed once per packet.
This results in less lock contention and faster IPsec.
Also protect tdb drop counters with net lock and avoid a leak in
crypto dispatch error handling.
intense testing Hrvoje Popovski; OK mpi@

The IPsec authentication before decryption used a different replay
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@

The xformsw array never changes. Declare struct xformsw constant
and map data read only.
OK deraadt@ mvs@ mpi@

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@

The properties of the crypto algorithms never change. Declare them
constant. Then they are mapped as read only.
OK deraadt@ dlg@

The crypto(9) framework used by IPsec runs on a kernel task that
is protected by kernel lock. There were crashes in swcr_authenc()
when it was accessing swcr_sessions. As a quick fix, protect all
calls from network stack to crypto with kernel lock. This also
covers the rekeying case that is called from pfkey via tdb_init().
OK mvs@

we don't have to cast to caddr_t when calling m_copydata anymore.

the first cut of this diff was made with coccinelle using this spatch:

@rule@
type caddr_t;
expression m, off, len, cp;
@@
-m_copydata(m, off, len, (caddr_t)cp)
+m_copydata(m, off, len, cp)

i had fix it's opinionated idea of formatting by hand though, so
i'm not sure it was worth it.

ok deraadt@ bluhm@

Make sure the first packet of an SA has sequence number 1 (as described in
RFC 4302 and RFC 4303). It seems this was changed by accident when support
for 64 bit sequence numbers was added.

ok bluhm@ patrick@

remove the "copy function" argument to bpf_mtap_hdr.

it was previously (ab)used by pflog, which has since been fixed.
apart from that nothing else used it, so we can trim the cruft.

ok kn@ claudio@ visa@
visa@ also made sure i fixed ipw(4) so i386 won't break.

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@

Introduce ipsec_output_cb() to merge duplicate code and account for
dropped packets in the output path.

While here fix a memory leak when compression is not needed w/ IPcomp.

ok markus@

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@

Cleanup IPsec AH error handling with consistent goto drop.
with and OK markus@; input mpi@

Do not assume that mbufs within a chain do not have M_PKTHDR set.
This could happen during fragment reassembly. Better check if we
are dealing with the first mbuf of the chain.
m_adj() changes the length of the mbuf, obviously. So when using
this length to calulate the amount of adjustment, do not calculate
it again after m_adj() with wrong input. Use a temporary variable
to save the value.
from Maxime Villard, NetBSD; OK markus@ claudio@

branches: 1.138.2;
When processing IPsec AH packets check that the header fits into
the packet length.
found by Maxime Villard; from FreeBSD; OK procter@ markus@

make kernel compile again without INET6
ok mpi@

comment change only. ok bluhm@

Do some cleanup in ah_massage_headers().
- Declare global array ipseczeroes containing zeroes constant.
- The proto parameter contains the address family, so call it af.
- Remove an unused if block, just keep the else.
- If m_copyback(M_NOWAIT) fails, return with error instead of working
with an inconsistent mbuf.
- ip6_nxt is u_int8_t, no need to clear the high bits.
- The offset and next protocol are advanced for all extension
headers, move it after the switch.
- ah_massage_headers() returns an errno, call the variable error.
OK procter@

When processing IPsec AH packets with IP options or IPv6 extension
headers, check all lengths before accessing the values.
found by Maxime Villard; from NetBSD; with and OK markus@; OK patrick@

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@

Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@

branches: 1.131.4;
Remove NET_LOCK()'s argument.

Tested by Hrvoje Popovski, ok bluhm@

add sizes to free() calls

branches: 1.129.4;
Put back a return that I have removed by accident.

IPsec packets could be dropped unaccounted if output after crypto
failed. Add a counter for that case.
OK dhill@

Reduce the per-packet allocation costs for crypto operations (cryptop)
by pre-allocating two cryptodesc objects and storing them in an array
instead of a linked list. If more than two cryptodesc objects are
required use mallocarray to fetch them. Adapt the drivers to the new
API.

This change results in one pool-get per ESP packet instead of three.
It also simplifies softraid crypto where more cryptodesc objects are
allocated than used.

From, with and ok markus@, ok bluhm@
"looks sane" mpi@

The return code of crp_callback is never checked, so it is not
useful to propagate the error. When an error occurs in an asynchronous
network path, incrementing a counter is the right thing. There are
four places where an error is not accounted, just add a comment for
now.
OK mpi@ visa@

Grab the NET_LOCK() in various callbacks.

Fix an assert reported by Hrvoje Popovski.

ok visa@, mikeb@

Grab the NET_LOCK() before calling ipsp_process_done() as it ends up
in ip_output().

Found the hardway by and ok kettenis@

convert bcopy to memcpy. from david hill.

avoid extensive mbuf allocation for IPsec by replacing m_inject(4)
with m_makespace(4) from freebsd; ok mpi@, bluhm@, mikeb@, dlg@

fix panics caused by replacing m_copym2 with m_dup_pkt.

m_copym2 is fine duplicating an arbitrary chain of mbufs, while
m_dup_pkt wants to dup a packet with proper headers in the first
mbuf. ipsec copied the tail of an mbuf if any of the clusters are
shared or readonly, and swapped that tail with the result of m_copym2.

m_dup_pkt panics cos of that.

this makes ipsec duplicate the whole packet if any of the chain is
readonly.

found by naddy@ and mlarkin@
this fix is from visa@ who told me to commit it cos he's afk (sleeping)
tested by naddy@

replace the last uses of m_copym2 with m_dup_pkt.

ok mpi@ visa@

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@

m_freem() can handle NULL, do not check for this condition beforehands.
ok stsp mpi

Use proper argument type for crp_callback functions; no functional change.

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer

make ipsp_address thread safe; ok mpi

remove KPDK. not really used, and a bad choice anyway. ok naddy

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@

Fewer <netinet/in_systm.h> !

add a size argument to free. will be used soon, but for now default to 0.
after discussions with beck deraadt kettenis.

bpf code surgery / shuffling / simplification.
the various bpf_mtap_* are very similiar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_map_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno

bzero/bcmp -> memset/memcmp. ok matthew

Replace all ovbcopy with memmove; swap the src and dst arguments too
ok otto

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@

Merge of an original work by markus@ and gerhard@ to increase
the anti-replay window size to 2100 entries; plus small ESN
related improvements. ok markus

simplify checkreplaywindow() API; make call/return code handling consistent
ok mikeb@

add M_ZEROIZE as an mbuf flag, so copied PFKEY messages (with embedded keys)
are cleared as well; from hshoexer@, feedback and ok bluhm@, ok claudio@

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@

remove the SADB_X_SAFLAGS_{HALFIV,RANDOMPADDING,NOREPLAY} pfkey-API (not set
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@

Add support for the Extended (64-bit) Sequence Number as defined
in RFC4302 and RFC4303. Right now only software crypto engine is
capable of doing it.

Replay check was rewritten to implement algorithm described in the
Appendix A of RFC4303 and the window size was increased to 64.

Tested against OpenBSD, Linux (strongswan) and Windows.

No objection from the usual suspects.

for key material that is being being discarded, convert bzero() to
explicit_bzero() where required
ok markus mikeb

Switch some obvious network stack MAC comparisons from bcmp() to
timingsafe_bcmp().

ok deraadt@; committed over WPA.

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@

m_copyback can fail to allocate memory, but is a void fucntion so gymnastics
are required to detect that.

Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error

ok claudio@ henning@ krw@

Allow to specify an alternative enc(4) interface for an SA. All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@